Today, I learned a valuable lesson about the potential consequences of installing core system libraries from backports repositories in Debian Linux. While backports can be useful for getting the latest features and updates, they can also introduce unexpected issues, especially when it comes to core system libraries. The flatpak update failed after upgrading Curl to 8.10 from Backports in my Debian 12 system. Let me share what happened, why it happened, how to solve it, and what you can learn from my experience.
Table of Contents
The Issue: Flatpak Update Error
Recently, I tried to update my Flatpak applications using the flatpak update
command. Instead of a smooth update, I encountered the following error:
Updating 1/23… 0% 0 bytes/s**
OSTree:ERROR:src/libostree/ostree-fetcher-curl.c:526:sock_cb: code should not be reached
Bail out! OSTree:ERROR:src/libostree/ostree-fetcher-curl.c:526:sock_cb: code should not be reached
Aborted (core dumped)
After some digging, I discovered that the problem was caused by a package called libcurl3-gnutls
, which I had installed from the Debian Backports repository.
What Went Wrong?
In simple terms, libcurl3-gnutls
is a core system library that helps your system communicate with the internet.
When you install a package from the backports repository, you're essentially getting a newer version of that package than what's available in the stable Debian release. While this can be useful for getting the latest features, it can also cause compatibility issues, especially with core system libraries.
In my case, the newer version of libcurl3-gnutls
from the backports repository was causing the flatpak update
command to crash.
Some users have already reported this issue. The Debian developer Simon McVittie described this issue in this link as follows:
[...] You did already install a core system library (libcurl3-gnutls) from a repository other than stable (bookworm-backports), and that's what triggered this. If you can downgrade libcurl3-gnutls back to the version from stable, that should avoid this issue. Updating core system libraries like libcurl has a risk of regressions associated with it - that's why we have stable releases! - and that risk doesn't go away just because the package has been made available in bookworm-backports. [...]
Until a few days ago, I didn't know that I shouldn't install core system libraries from backports. So I downgraded the problematic package as the developer suggested.
How to Fix It
Fortunately, the fix is straightforward. You just need to downgrade the libcurl3-gnutls
package to the version that comes with the stable Debian release. Let us see how to do it:
Step 1: List Available Versions
First, you need to see which versions of libcurl3-gnutls
are available on your system. You can do this by running:
apt-cache policy libcurl3-gnutls
Sample Output from my Debian 12 system:
libcurl3-gnutls:
Installed: 8.10.1-1~bpo12+1
Candidate: 8.10.1-1~bpo12+1
Version table:
*** 8.10.1-1~bpo12+1 100
100 /var/lib/dpkg/status
7.88.1-10+deb12u7 500
500 http://deb.debian.org/debian bookworm/main amd64 Packages
7.88.1-10+deb12u5 500
500 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages
As you see in the output above, the installed version is 8.10.1-1~bpo12+1
, which is from the backports repository. "bpo" in the package name indicates that it is from backports. The stable version is 7.88.1-10+deb12u7
.
Step 2: Downgrade the Package
To downgrade libcurl3-gnutls
to the stable version, run:
sudo apt install libcurl3-gnutls=7.88.1-10+deb12u7
You'll see a confirmation prompt asking if you want to continue. Type y
and press Enter.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
libnghttp3-9 libngtcp2-16 libngtcp2-crypto-gnutls8
Use 'sudo apt autoremove' to remove them.
The following packages will be DOWNGRADED:
libcurl3-gnutls
0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.
Need to get 385 kB of archives.
After this operation, 100 kB disk space will be freed.
Do you want to continue? [Y/n] y
Get:1 http://deb.debian.org/debian bookworm/main amd64 libcurl3-gnutls amd64 7.88.1-10+deb12u7 [385 kB]
Fetched 385 kB in 1s (727 kB/s)
dpkg: warning: downgrading libcurl3-gnutls:amd64 from 8.10.1-1~bpo12+1 to 7.88.1-10+deb12u7
(Reading database ... 187778 files and directories currently installed.)
Preparing to unpack .../libcurl3-gnutls_7.88.1-10+deb12u7_amd64.deb ...
Unpacking libcurl3-gnutls:amd64 (7.88.1-10+deb12u7) over (8.10.1-1~bpo12+1) ...
Setting up libcurl3-gnutls:amd64 (7.88.1-10+deb12u7) ...
Processing triggers for libc-bin (2.36-9+deb12u8) ...
Now the package is downgraded to version 7.88.1-10+deb12u7
.
Step 3: Verify the Downgrade
After the downgrade is complete, you can verify that the package has been downgraded by running:
apt-cache policy libcurl3-gnutls
You should see that the installed version is now the stable version, 7.88.1-10+deb12u7
.
Step 4: Update Flatpak Applications
Finally, try running the flatpak update
command again. This time, it should work without any errors:
![[Update Flatpak Applications.png]]
Root Cause of the flatpak update Issue
If you've recently upgraded curl
to version 8.10.0 from backports or compiled from the source, you will get the same error when trying to update your Flatpak applications.
I thought replacing the backports version of Curl with the stable version will fix this issue, but it didn't. I had to downgrade the libcurl3-gnutls
package to fix it.
The root cause of the flatpak update
failure was an incompatibility between a newer version of the curl
library (8.10.0) and the libostree
library used by flatpak
.
- As mentioned in this bug report, a Debian user reported that after upgrading
curl
to version 8.10.0,flatpak update
began failing with an error message indicating code in theostree-fetcher-curl.c
file should not be reached. - This was traced back to a commit in the
libcurl
library that changed how sockets are handled. - The issue was particularly pronounced for users who had installed
libcurl3-gnutls
from thebookworm-backports
repository, as this provided a newer version oflibcurl
than the stable Debian release. - Downgrading
libcurl3-gnutls
to the stable version was confirmed as a workaround. - The maintainer of the
ostree
package in Debian applied patches from the upstream project to address the incompatibility withcurl
8.10.x. - The fixed version of
ostree
was initially released in the unstable and testing Debian branches and later made available in the stable branch through thebookworm-proposed-updates
repository.
Therefore, the flatpak update
failures stemmed from a change in libcurl
that affected libostree
's functionality. This was resolved by applying patches to libostree
to restore compatibility with the newer curl
library.
So, If the flatpak update command fails after upgrading to Curl 8.10.0, simply downgrade the libcurl3-gnutls
back to the version from stable repository as described above.
Potential Consequences of Installing Core System Libraries from Backports Repository
- Regressions: Upgrading core system libraries like libcurl from backports carries a risk of regressions. Regressions are unintended consequences of software updates, causing existing functionalities to break or perform worse. This is why stable releases exist, to minimize such risks.
- Compatibility issues: Installing a newer version of a core library from backports can lead to compatibility issues with other software that relies on the older version. This is because the updated library might have changes that are incompatible with the software designed for the previous version.
- Dependency Conflicts: Backported libraries may have dependencies on newer versions of other libraries that are not available in the stable release. This can create dependency conflicts and prevent the proper functioning of the system.
Lessons Learned
1. Stick to Stable for Core Libraries
When it comes to core system libraries, it's generally safer to stick with the versions provided by the stable Debian release. These versions have been thoroughly tested and are less likely to cause compatibility issues.
2. Use Backports Wisely
While backports can be useful for getting the latest features, they should be used with caution. Only install packages from backports if you understand the potential risks and are prepared to deal with any issues that arise.
3. Know How to Downgrade
If you do encounter issues after installing a package from backports, knowing how to downgrade to a stable version can save you a lot of time and frustration.
Conclusion
Installing core system libraries from backports can introduce unexpected issues, as I learned the hard way. By sticking to stable versions and understanding the potential risks, you can avoid these problems and keep your system running smoothly. Remember, sometimes the latest isn't always the greatest, especially when it comes to core system components.
I am not saying Backports is not recommended. Just avoid installing system core libraries from backports. You can use it to install other apps.